1.1 Purpose Of The Risk Management Plan
The purpose of this risk management plan is to identify the threats and vulnerabilities that could impact the network. These threats can have a serious impact on the business operations and do financial harm. Once these threats and vulnerabilities have been identified, a plan of action must be made to reduce the impact they have on the network.
1. RISK MANAGEMENT PROCEDURE
The project manager working with the project team will identify all threats and vulnerabilities. A risk analysis will be performed to determine the cost, impact, and likelihood of each threat. Mitigation techniques will be used to reduce the impact of each threat. The risk management plan will continue to be monitored and reviewed to ensure the plan is effective.
This project will encompass the IT department. Its goal is to protect the assets in place in the company. These may include proprietary data, servers, workstations, laptops, printers/fax machines, applications, and so on.
1.4 Risk Identification
Each threat and vulnerability needs to be identified so research and analysis can be done to assign mitigation tools to reduce the risk of each one.
1.5 Risk Monitoring, Controlling, And Reporting
The level of risk on a project will be tracked, monitored and reported throughout the project lifecycle. Any changes made to the network or any new threats identified will cause the need for a revision to the risk management plan.
2. RISK ASSESSMENT APPROACHES
All assets in the company need to be identified to determine their value. Risks, threats, and vulnerabilities also need to be assessed to determine their cost to the company. Calculating the cost of each risk and the cost of the countermeasures to mitigate the risks is a key component of the risk assessment process.
1.6 Qualitative Risk Analysis
The probability and impact of occurrence for each identified risk will be assessed by the project manager, with input from the project team using the following approach:
High – Greater than 70% probability of occurrence
Medium – Between 30% and 70% probability of occurrence
Low – Below 30% probability of occurrence
High – Risk that has the potential to greatly impact project cost, project schedule or performance
Medium – Risk that has the potential to slightly impact project cost, project schedule or performance
Low – Risk that has relatively little impact on cost, schedule or performance
3.2 Quantitative Risk Analysis
The risk events prioritized by the qualitative risk analysis process will be analyzed for their effect on project activities, a numerical rating will be applied to each risk based on this analysis, and the results will be documented in this section of the risk management plan. Use the single loss expectancy (SLE), the annual rate of occurrence (ARO), and the annual loss expectancy (ALE) to determine loss values. Use the safeguard value to determine the cost of the controls you wish to implement.
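The following is an added example, not part of this plan, showing how the qualitative probability bands above and the SLE/ARO/ALE figures of this section can be applied to a small risk register; it uses the standard relationships ALE = SLE × ARO and safeguard value = (ALE before control − ALE after control) − annual control cost. The register entries and dollar figures are constructed for illustration and are not the plan's own data.

```python
from dataclasses import dataclass

def probability_rating(probability_pct: float) -> str:
    """Qualitative band from the plan: >70% High, 30-70% Medium, <30% Low."""
    if probability_pct > 70:
        return "High"
    if probability_pct >= 30:
        return "Medium"
    return "Low"

def annual_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO: expected yearly loss from one threat to one asset."""
    return sle * aro

def safeguard_value(ale_before: float, ale_after: float, annual_control_cost: float) -> float:
    """Loss avoided by the control minus what the control costs per year.
    Positive means the control pays for itself; negative means it costs more than it saves."""
    return (ale_before - ale_after) - annual_control_cost

@dataclass
class Risk:
    asset: str
    threat: str
    probability_pct: float   # feeds the qualitative rating
    sle: float               # single loss expectancy, USD
    aro: float               # expected occurrences per year without the control
    aro_with_control: float  # expected occurrences per year with the control
    control_cost: float      # annualised cost of the proposed control, USD

    def ale(self) -> float:
        return annual_loss_expectancy(self.sle, self.aro)

    def control_value(self) -> float:
        ale_after = annual_loss_expectancy(self.sle, self.aro_with_control)
        return safeguard_value(self.ale(), ale_after, self.control_cost)

def evaluate(register):
    """Rows of (asset, threat, rating, ALE, safeguard value, justified), highest ALE first."""
    rows = []
    for r in register:
        value = r.control_value()
        rows.append((r.asset, r.threat, probability_rating(r.probability_pct), r.ale(), value, value > 0))
    return sorted(rows, key=lambda row: row[3], reverse=True)

# Constructed sample register; all figures are illustrative, not taken from the plan.
SAMPLE_REGISTER = [
    Risk("file server", "ransomware", 40, 60_000, 0.5, 0.1, 8_000),
    Risk("laptops", "theft of unencrypted device", 80, 5_000, 2.0, 0.25, 12_000),
    Risk("printers/fax", "hardware failure", 20, 1_500, 0.5, 0.5, 3_000),
]

if __name__ == "__main__":
    for row in evaluate(SAMPLE_REGISTER):
        print(row)
```

Note that the laptop threat rates High qualitatively yet its proposed control is not cost-justified on these figures, which is exactly the tension the quantitative step is meant to surface.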
4. COMPLIANCE LAWS
Since this company falls within the Defense Logistics Agency of the Department of Defense (DOD), we have to adhere to certain compliance laws and regulations.
4.1 DIACAP
The Department of Defense Information Assurance Certification and Accreditation Process (DIACAP) is the risk management process the DOD applies to its IT systems. DIACAP lists five phases IT systems must go through to ensure compliance. They are as follows:
Phase 1 – Initiate and Plan
Phase 2 – Implement and Validate
Phase 3 – Make Certification and Accreditation Decisions
Phase 4 – Maintain ATO/Review
Phase 5 – Decommission
The Federal Information Security Management Act (FISMA) was created to ensure that federal agencies properly protect their data. Agencies are responsible for protecting systems and data, complying with all elements of FISMA, and integrating security into all processes. FISMA requires annual inspections to make sure agencies stay compliant. Policies, practices, and procedures are tested, and an assessment report is created listing the agency's compliance with FISMA along with other standards.
The National Institute of Standards and Technology (NIST) is a division of the U.S. Department of Commerce, and its mission is to promote U.S. innovation and competitiveness. NIST hosts the Information Technology Laboratory (ITL), which develops standards and guidelines related to IT. One of the ITL's guidelines, SP 800-30, is titled “Risk Management Guide for Information Technology” and is a valuable resource when planning a risk management strategy for your IT infrastructure.
5. KEY ROLES AND RESPONSIBILITIES
There are several people involved in the Risk Management process. Each person has specific tasks that must be performed correctly and on time. Assigning specific tasks to different people ensures a level of accountability for each employee to complete the task. The assigned roles for this project are as follows:
Senior Manager – Robert Griffin – Responsible for the entire project. Develops the strategy of the risk management plan. Assigns the IT Manager and allocates resources as necessary. Assesses results of risk.
IT Manager – Chris Cooley – Responsible for planning and budgeting of the project. Assigns IT personnel to specific tasks and works with them to ensure risk management procedures are being met.
IT Employees – Fred Davis, Carlos Rodgers – Assigned tasks by the IT Manager during the risk assessment. Report any changes in the workplace to the IT Manager.